SecureXL sends the traffic with Destination MAC Address 00:00:00:00:00:00
Symptoms
  • Some connections cannot be initiated through the Security Gateway. Repeated attempts to connect eventually succeed.

  • SmartView Tracker does not show any drops.

  • Traffic capture (tcpdump) shows that traffic enters the Security Gateway and exits the Security Gateway.
    Closer inspection shows that traffic exits with Destination MAC Address 00:00:00:00:00:00.

  • Disabling SecureXL resolves the issue.

  • Kernel debug ('fw ctl debug -m fw + conn') shows that the traffic is accepted in both Inbound and Outbound (;VM Final action=ACCEPT;).

    SecureXL debug ('fwaccel dbg -m general + offload nat' ; 'fwaccel dbg -m db + routing') shows that SecureXL sends the traffic with Destination MAC Address 00:00:00:00:00:00.

    Example:

    ... ... ...
    ;After VM: <dir 1, Client_IP_Address:Source_Port -> Server_IP_Address:Dest_Port IPP 6> (len=52) TCP flags=0x2 (SYN), seq=a7645c0f, ack=0, data end=a7645c10 ;
    ;VM Final action=ACCEPT;
    ; ----- Stateful VM outbound Completed -----

    ;cphwd_chain_to_vm_connkey: obtained vm_connkey <dir 1, Client_IP_Address:Source_Port -> Server_IP_Address:Dest_Port IPP 6>;
    ;cphwd_db_save_routing_info_ex: conn=<dir 1, Client_IP_Address:Source_Port -> Server_IP_Address:Dest_Port IPP 6>, c2s_packet=1, c2s_route=0, dir=1;
    ;cphwd_db_save_routing_info_ex: found conn in db. New route detected.;
    ;cphwd_crypt_should_update_route: returns with rc 0;
    ;cphwd_db_handle_s2c_routing_info_ex: (c2s_pkt=1) client_ifn=6, server_ifn=7, s2c_server_ifn=7, s2c_client_ifn=6;
    ;cphwd_db_handle_s2c_routing_info_ex: perform anti-spoofing check on src addr Server_IP_Address, ifn 7;
    ;cphwd_db_save_routing_info_ex: found server route for <dir 1, Client_IP_Address:Source_Port -> Server_IP_Address:Dest_Port IPP 6>, ifn=7: (update_f2f=0);
    ;dst: 00:00:00:00:00:00 <--> src: 00:XX:XX:XX:XX:XX;
    ;cphwd_db_save_routing_info_ex: conn <dir 1, Client_IP_Address:Source_Port -> Server_IP_Address:Dest_Port IPP 6> saved in db (flags=0x1c).;
    ;get_conn_nat: outbound NAT applied: <dir 1, Client_IP_Address:Source_Port -> Server_IP_Address:Dest_Port IPP 6>-><dir 0, Server_IP_Address:Dest_Port -> NATed_IP_Address:Dest_Port IP
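The following is an added example, not part of the original article or any Check Point tooling. It scans saved SecureXL debug output in the format shown above and reports each connection whose saved route carries Destination MAC Address 00:00:00:00:00:00. The function name, the sample addresses and the assumption that the route line always precedes its `dst: ... <--> src: ...` line are illustrative.

```python
import re

# Constructed sample in the format of the debug output above
# (placeholder addresses, not captured from a real gateway).
SAMPLE = """\
;cphwd_db_save_routing_info_ex: found server route for <dir 1, 10.0.0.5:40112 -> 192.0.2.10:443 IPP 6>, ifn=7: (update_f2f=0);
;dst: 00:00:00:00:00:00 <--> src: 02:00:00:00:00:01;
;cphwd_db_save_routing_info_ex: found server route for <dir 1, 10.0.0.6:40113 -> 192.0.2.10:443 IPP 6>, ifn=7: (update_f2f=0);
;dst: 02:00:00:aa:bb:cc <--> src: 02:00:00:00:00:01;
"""

# Only "found server route" appears in the article; matching any word for the
# side is an assumption. The lazy .+? is needed because the tuple contains "->".
ROUTE_RE = re.compile(r"found (\w+) route for <(.+?)>, ifn=(\d+)")
MAC_RE = re.compile(r";dst: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) <--> src: (\S+?);")
ZERO_MAC = "00:00:00:00:00:00"


def find_zero_dst_mac(debug_text):
    """Return one dict per saved route whose destination MAC is all zeros."""
    hits = []
    pending = None  # most recent route line not yet paired with a MAC line
    for lineno, line in enumerate(debug_text.splitlines(), 1):
        route = ROUTE_RE.search(line)
        if route:
            pending = {"side": route.group(1), "conn": route.group(2),
                       "ifn": int(route.group(3))}
            continue
        mac = MAC_RE.search(line)
        if mac:
            if mac.group(1) == ZERO_MAC:
                # Keep the hit even if no route line was seen before it.
                hit = dict(pending or {"side": None, "conn": None, "ifn": None})
                hit.update(line=lineno, src_mac=mac.group(2))
                hits.append(hit)
            pending = None  # a MAC line closes the current route entry
    return hits


if __name__ == "__main__":
    for h in find_zero_dst_mac(SAMPLE):
        print("line %(line)d: ifn=%(ifn)s conn=<%(conn)s> src=%(src_mac)s" % h)
```

Run it over debug output saved while reproducing the failed connection; an empty result means no saved route in that capture had an all-zero Destination MAC Address.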
Cause

SecureXL SIM device did not initialize the routing table properly.


Solution
Note: To view this solution you need to Sign In.